Encryption at rest in Amazon QLDB - Amazon Quantum Ledger Database (Amazon QLDB)

Encryption at rest in Amazon QLDB

All data stored in Amazon QLDB is fully encrypted at rest by default. QLDB encryption at rest provides enhanced security by encrypting all ledger data at rest using encryption keys in AWS Key Management Service (AWS KMS). This functionality helps reduce the operational burden and complexity involved in protecting sensitive data. With encryption at rest, you can build security-sensitive ledger applications that meet strict encryption compliance and regulatory requirements.

Encryption at rest integrates with AWS KMS for managing the encryption key that is used to protect your QLDB ledgers. For more information about AWS KMS, see AWS Key Management Service concepts in the AWS Key Management Service Developer Guide.

In QLDB, you can specify the type of AWS KMS key for each ledger resource. When you create a new ledger or update an existing ledger, you can choose one of the following types of KMS keys to protect your ledger data:

  • AWS owned key – The default encryption type. The key is owned by QLDB (no additional charge).

  • Customer managed key – The key is stored in your AWS account and is created, owned, and managed by you. You have full control over the key (AWS KMS charges apply).


Amazon QLDB launched support for customer managed AWS KMS keys on July 22, 2021. Any ledgers that were created before the launch are protected by AWS owned keys by default, but are currently not eligible for encryption at rest using customer managed keys.

You can view the creation time of your ledger on the QLDB console.

When you access a ledger, QLDB decrypts the data transparently. You can switch between the AWS owned key and the customer managed key at any given time. You don't have to change any code or applications to use or manage encrypted data.

You can specify an encryption key when you create a new ledger or change the encryption key on an existing ledger by using the AWS Management Console, the QLDB API, or the AWS Command Line Interface (AWS CLI). For more information, see Using customer managed keys in Amazon QLDB.


By default, Amazon QLDB automatically enables encryption at rest using AWS owned keys at no additional charge. However, AWS KMS charges apply for using a customer managed key. For information about pricing, see AWS Key Management Service pricing.

QLDB encryption at rest is available in all AWS Regions where QLDB is available.